Interesting HIPS test- Delete Volume

Discussion in 'other anti-malware software' started by aigle, Mar 16, 2008.

Thread Status:
Not open for further replies.
  1. Tidyup

    Tidyup Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    101
    It's all about risk.

    Some behaviours are benign, and are expected. Other behaviours are malicious, and should be stopped.

    The strength of a HIPS solution is its effectiveness in categorising the risk associated with these behaviours.
     
  2. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    Mamutu didn't detect anything in Paranoid Mode, Alert Reduction Off.

    DefenseWall didn't detect anything as expected.

    Avira AntiVir detected it as TR/Dldr.Small.got.1
     
  3. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    For those who are interested,

    Under Vista 32 SP1, Primary Response SafeConnect v3.0.0.1443 did not detect this test.


    Peace & Gratitude,

    CogitoErgoSum
     
  4. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,635
    Location:
    European Union
    It seems that no matter what I'm saying, mass paranoia about this so-called exploit continues... :( I believe I'm wasting my time trying to convince somebody...
     
  5. grumbleduke

    grumbleduke Registered Member

    Joined:
    Aug 10, 2007
    Posts:
    11
    Location:
    Oregon
    Destructive malware frankly is tough to deal with effectively while keeping a security product usable by most mere mortals. When a person sits down and really thinks about it, the data on our machines is very, very fragile. There are safeguards to keep most people from doing something inane like `del ntldr`, but the fact remains that there are thousands, tens of thousands, maybe hundreds of thousands of user mode and kernel mode APIs (Microsoft and third party) that can be used to delete, munge, or tamper with the data on the spinning disks inside our computers. I'm not saying that the test involving deleting a volume isn't an issue; what I'm saying is that the problem of data integrity and change control is by definition a difficult subject.

    Cogito, thanks for the test!

    p.s., I don't want to be seen as snotty/snarky/elitist, but using an API call is not an exploit. Please do not overload the term exploit, since it means something very specific.
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Nebulus

    It's not mass paranoia. What the "test" did is of no concern, but the fact it got by Sandboxie, does concern me. That is the point.

    Pete
     
  7. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    I was also surprised it got past DefenseWall but not past Windows LUA and OA Run Safer.
     
  8. simmikie

    simmikie Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    321

    ...or Prevx2, and SafeSpace.


    Mike
     
  9. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    I'm afraid not.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    No, they are not the greatest threat, because nowadays most malware attacks are focused on financial gain, so a destructive file infector wouldn't help hackers at all. But yes, they are quite annoying, and I've also read that non-destructive file infectors might make a comeback. Would be cool if HIPS could stop them.

    I'm a bit surprised that it bypassed SBIE. I've also tested these kinds of viruses, and virtualization should protect against overwriting (and modifying?) of executables. HIPS like TF and NG could only partially protect against it. Can you or CES perhaps put this malware on Rapidshare? TIA :)

    I still wonder if this POC could have been used by malware in a real-life attack. Anyone?
     
  11. grumbleduke

    grumbleduke Registered Member

    Joined:
    Aug 10, 2007
    Posts:
    11
    Location:
    Oregon
  12. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,635
    Location:
    European Union
    What would this POC do? I mean, unmounting a drive is not something destructive in itself...

    CIH overwrites important HDD sectors and tries to overwrite the flash BIOS. This is very different from unmounting :).
     
  13. grumbleduke

    grumbleduke Registered Member

    Joined:
    Aug 10, 2007
    Posts:
    11
    Location:
    Oregon
    Sorry, I wasn't clear, and the analogy was a bit strained: using legit methods to do damage to data has been around for as long as computers have been around, that's all.
     
  14. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    ESS nabbed it. ;)
     
  15. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    Just to be clear, you set the test file as Run Safer and ran it without Sandboxie and the test failed (it didn't delete the volume names). Then with the test file still set as Run Safer, you opened it in Sandboxie and the test worked (it deleted the volume labels). Is this correct?

    Care to do another test? :D Could you download DropMyRights and set up a shortcut that opens the file with DropMyRights and see if it works? Here's an example of the shortcut target.

    "C:\Program Files\DropMyRights\DropMyRights.exe" "C:\Program Files\Mozilla Firefox\Firefox.exe" (substitute Firefox with the location of the file and then click the shortcut to see if the test works or not).

    Then create a shortcut that opens Sandboxie, DropMyRights and the test file.

    "C:\Program Files\Sandboxie\Start.exe" /box:DefaultBox "C:\Program Files\DropMyRights\DropMyRights.exe" "C:\Program Files\Mozilla Firefox\Firefox.exe" (Again, substitute the Firefox info with the location of the test file and substitute the DefaultBox name if yours is different and then click the shortcut to run).

    Also, in both the above shortcuts, I have the "Start In" set as this.

    "C:\Program Files\DropMyRights"

    Here are easy instructions for DropMyRights. http://cybercoyote.org/security/drop.shtml

    If you don't have the time to try this, am I safe trying it with only Returnil protecting my system partition?

    Thanks,
    innerpeace
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Two independent things.

    1. I could not get it to run sandboxed with Sandboxie. I am sure Tzuk will look at it when he gets back.

    2. Using OA Run Safer, no sandbox, the test failed. OA protected.

    Probably won't have time to download and test against anything I don't have installed at this point. Sorry.

    Pete
     
  18. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    It is using 100% legitimate API calls. The only problem with it is that it does not restore the mount status after reboot, so it may harm the user.

    It is the same thing...
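The point raised in this post is that the damage is not the API call itself but the lost mount-point state after a reboot. A defender's answer is to record drive-letter assignments while the system is healthy and to be able to diff and restore them. The script below is an added example written for this thread, not code from the thread, from DefenseWall, or from any product discussed here. It assumes the Storage module cmdlets (Get-Partition, Add-PartitionAccessPath, available on Windows 8 / Server 2012 and later, so not on the Vista/XP systems in the thread), an elevated session for the restore step, and that the test in question removes drive-letter mount points (consistent with the posts reporting D: and E: "deleted"). The CSV path and function names are my own choices.

```powershell
# Added example (not from the thread). Snapshot, compare and restore drive-letter
# assignments so that a removed mount point can be put back after a reboot.
# Assumes the Storage module (Get-Partition, Add-PartitionAccessPath) and, for
# Restore-DriveLetterMap, an elevated session.

# Normalise a partition's DriveLetter (a [char], NUL when unassigned) to "" or "D".
function Get-LetterString {
    param($Letter)
    $s = [string]$Letter
    if ($s -match '^[A-Za-z]$') { return $s.ToUpper() }
    return ''
}

# Record disk number, partition number, partition GUID and current letter for
# every partition that has a letter. Run this while the system is healthy.
function Export-DriveLetterMap {
    param([Parameter(Mandatory)][string]$Path)
    $map = foreach ($p in Get-Partition) {
        $letter = Get-LetterString $p.DriveLetter
        if ($letter -eq '') { continue }
        [pscustomobject]@{
            DiskNumber      = $p.DiskNumber
            PartitionNumber = $p.PartitionNumber
            Guid            = $p.Guid
            DriveLetter     = $letter
        }
    }
    $map | Export-Csv -Path $Path -NoTypeInformation
    return $map
}

# Report every saved letter that is no longer assigned to its partition.
function Compare-DriveLetterMap {
    param([Parameter(Mandatory)][string]$Path)
    $saved   = Import-Csv -Path $Path
    $current = Get-Partition
    foreach ($entry in $saved) {
        $part = $current | Where-Object {
            $_.DiskNumber -eq [int]$entry.DiskNumber -and
            $_.PartitionNumber -eq [int]$entry.PartitionNumber
        }
        if ($null -eq $part) { continue }   # partition itself is gone; out of scope here
        $now = Get-LetterString $part.DriveLetter
        if ($now -ne $entry.DriveLetter) {
            [pscustomobject]@{
                DiskNumber      = [int]$entry.DiskNumber
                PartitionNumber = [int]$entry.PartitionNumber
                ExpectedLetter  = $entry.DriveLetter
                CurrentLetter   = $now
            }
        }
    }
}

# Re-add each missing letter as an access path (needs admin). -WhatIf only reports.
function Restore-DriveLetterMap {
    param([Parameter(Mandatory)][string]$Path, [switch]$WhatIf)
    foreach ($missing in (Compare-DriveLetterMap -Path $Path)) {
        $accessPath = "$($missing.ExpectedLetter):\"
        if ($WhatIf) {
            "Would restore $accessPath on disk $($missing.DiskNumber) partition $($missing.PartitionNumber)"
            continue
        }
        Add-PartitionAccessPath -DiskNumber $missing.DiskNumber `
            -PartitionNumber $missing.PartitionNumber -AccessPath $accessPath
    }
}

# Usage (path is an arbitrary choice for this example):
# Export-DriveLetterMap  -Path "$env:ProgramData\driveletters.csv"
# Compare-DriveLetterMap -Path "$env:ProgramData\driveletters.csv"
# Restore-DriveLetterMap -Path "$env:ProgramData\driveletters.csv" -WhatIf
```

The snapshot is keyed on disk and partition number with the partition GUID kept alongside for cross-checking, because a drive letter that has been removed no longer identifies the volume. Running Compare-DriveLetterMap after a reboot is also a cheap way to confirm whether a sandboxed or rights-dropped run of a test binary actually changed anything that persisted.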
     
  19. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    Thanks for the clarification Pete. I'm also sure that Tzuk will look into this.

    I was just curious as you know I have been saying for a while now that OA Run Safer does not show up as Deny/Owner in Process Explorer when running that Run Safer program sandboxed. That is why I use DropMyRights as it shows Deny/Owner when sandboxed.

    I may feel brave tomorrow and give it a try.
     
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    While a tad off topic, I have tested OA's Run Safer against some of the malware played with by folks on this forum. Allowed everything and was still protected.
     
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Ok, I have exchanged a couple of mails with Brian and they are going to fix it with next update of GesWall.
     
  22. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    I created a shortcut to run DeleteVolume.exe with DropMyRights and the test failed; it didn't delete the volumes. I rebooted afterwards.

    I tried right-clicking the above shortcut and running it sandboxed with Sandboxie and my D: and E: volumes were deleted.

    I tried the file with a complete shortcut in my other post above to start Sandboxie, DropMyRights and DeleteVolume.exe and my D: and E: volumes were deleted. I think this was mainly due to the shortcut starting Sandboxie before DMR.

    FWIW, Avira wouldn't let me get close to the file, OA2 alerted to the .exe wanting to start and Returnil returned everything back to normal.

    innerpeace
     
  23. Wordward

    Wordward Former Poster

    Joined:
    Jan 12, 2007
    Posts:
    707
    Hey innerpeace how have you been? I would love to do this test on my PC as you did with DropMyRights, but I'd be afraid I'd mess my PC up and have to DropMyPants in order to get it fixed. LOL. Seriously, I saw where Avira and another AV stopped this test and I was wondering if any other ones would?
     
  24. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    LOL, I was a little hesitant myself as it was my first time attempting such a thing. As far as the Anti-Viruses go, VirusTotal had like 26 of 32 scanners detecting it and AVG was one of them. I had to disable Avira guard to run the test, plus I was using Returnil to virtualize my C: system partition. I also have a fairly recent backup.
     
  25. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    1,039
    Hi innerpeace

    If you set up the Firefox/Opera/IE7 icons so that when you click on them it invokes DropMyRights and THEN loads the browser sandboxed, does it still delete drives D & E?

    You know that DMR loads first because there is a momentary flash of the black command prompt screen.

    Terry
     